DNS
DNS analysis
Third-Party Tools
Use these first: they are completely passive. The queries go to third-party infrastructure that has already collected the data, not from your own machine, so the target sees nothing from you. Their data can be stale, so confirm anything interesting with live queries afterwards.
DNS Dumpster [https://dnsdumpster.com/]
Shodan [https://www.shodan.io/]
Censys [https://censys.io/]
Dig
A powerful command-line DNS client (part of the BIND utilities, available on Linux and macOS) used to gather and analyse DNS records.
Gather All Records for a Domain
This command queries the name server 192.168.1.1 for every record type it will hand out for the domain. Many resolvers and authoritative servers now answer ANY with a minimal or empty response (RFC 8482), so if the output is thin, ask for individual types (A, AAAA, MX, NS, TXT, SOA) instead.
dig @192.168.1.1 sec542.org -t any
dig @192.168.1.1 sec560.org +norecurse # Turns off recursion (RD bit clear); only the server's own data or cache is returned
dig @192.168.1.1 sec560.org +recurse   # Turns on recursion (the default)
Simplified PTR Lookups
Using the -x flag is the same as dig 23.1.168.192.in-addr.arpa PTR: dig reverses the octets and appends the in-addr.arpa suffix for you (ip6.arpa, one label per hex nibble, for IPv6).
dig -x 192.168.1.23
Attempt Full Zone Transfer
Very unlikely to work against Internet-facing servers; most domains should not allow zone transfers to arbitrary clients. It is more likely to succeed from inside a network, where internal name servers are often left open. Always attempt it anyway: a successful transfer hands you the entire zone in one query. Ask each authoritative server (listed by dig NS <domain>) rather than a recursive resolver, since only the authoritative servers hold the zone, and note that AXFR runs over TCP.
dig @<network dns server> m4lwhere.org -t axfr
dig @<network dns server> AXFR m4lwhere.org
nslookup
We can use nslookup from a Windows host to try and gather information as well. In interactive mode, server selects the name server to query and ls -d requests a zone transfer of the domain and lists every record returned; the ls command only exists in the Windows build of nslookup.
C:\Users\m4lwhere> nslookup
> server 10.0.0.1
> set type=AXFR
> ls -d goblins.local
DNSrecon
Multi-threaded DNS enumeration tool written in Python 3. With just a domain it runs its standard enumeration: SOA, NS, MX, A, AAAA and TXT lookups, a zone-transfer attempt against each name server it finds, and a check of common SRV records. The -n option sets the name server to query.
dnsrecon -d m4lwhere.org -n 8.8.8.8
DNS Brute Forcing
Attempt to enumerate DNS hostnames by guessing subdomain labels from a wordlist and resolving each one. Check for a wildcard record first: if a random label under the domain resolves, every guess will appear to "hit" and the results are noise unless you filter out the wildcard address.
Gobuster
Uses gobuster's dns mode for subdomain brute forcing; it is multi-threaded 😎 (-t sets the thread count, -r picks the resolver to query, and -i shows the resolved IPs).
gobuster dns -d m4lwhere.org -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
Nmap Script
The script arguments set the target domain, the thread count and the wordlist; newtargets adds every hostname the script discovers to the scan, so the trailing -sS -p 80 then port-scans each of them.
nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
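As an added example (not part of the original notes, and not code from gobuster, dnsrecon or nmap), the following Python shows what those tools do under the hood: it probes for a wildcard record first, then resolves each wordlist entry in a thread pool and discards names whose only answers are the wildcard address. The resolver is a pluggable callable so the logic can be exercised against a fixture without network access; the example.test domain, addresses and wordlist in the usage are constructed for illustration.

```python
import random
import socket
import string
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Set

# Added example: DNS subdomain brute force with wildcard filtering.
# Not part of the original page; domain and addresses used below are assumptions.

Resolver = Callable[[str], List[str]]


def resolve_a(name: str) -> List[str]:
    """Default resolver: every IPv4 address the system resolver returns for `name`."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that should not exist; any answers are the wildcard's IPs."""
    seen: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        seen.update(resolve(f"{label}.{domain}"))
    return seen


def brute_force(
    domain: str,
    words: Iterable[str],
    resolve: Resolver = resolve_a,
    threads: int = 10,
) -> Dict[str, List[str]]:
    """Resolve <word>.<domain> for each wordlist entry; return {fqdn: [ips]}.

    Names that only resolve to the wildcard address are dropped, so a
    catch-all record does not turn the whole wordlist into false positives.
    """
    wild = wildcard_addresses(domain, resolve)
    candidates = []
    for word in words:
        word = word.strip().lower()
        if word and not word.startswith("#"):      # skip blanks and comments
            candidates.append(f"{word}.{domain}")

    hits: Dict[str, List[str]] = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for fqdn, ips in zip(candidates, pool.map(resolve, candidates)):
            real = [ip for ip in ips if ip not in wild]   # strip wildcard answers
            if real:
                hits[fqdn] = real
    return hits


if __name__ == "__main__":
    # Usage: python dnsbrute.py <domain> <wordlist>   (assumed file layout: one label per line)
    domain, wordlist = sys.argv[1], sys.argv[2]
    with open(wordlist, encoding="utf-8", errors="ignore") as fh:
        for fqdn, ips in brute_force(domain, fh).items():
            print(f"{fqdn:<40} {', '.join(ips)}")
```

If wildcard_addresses returns anything, the zone has a catch-all record; gobuster refuses to run in that case unless told to continue, and nmap's dns-brute reports the wildcard hits as-is, so the filtering step above is what turns either tool's raw output into usable results.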